How to Reissue and Replace an SSL Certificate in Plesk

If your SSL certificate has been compromised, contains incorrect details, or you've changed your server configuration, you may need to reissue and replace it. This guide walks you through the process in Plesk for both free Let's Encrypt and paid third-party certificates.

Reissuing a free Let's Encrypt certificate

Let's Encrypt certificates are the easiest to reissue since Plesk handles most of the process automatically through the SSL It! extension.

1. Log in to your Plesk control panel.
2. Go to Websites & Domains and select the domain that needs the new certificate.
3. Click SSL/TLS Certificates.
4. Find the currently installed Let's Encrypt certificate and click Reissue Certificate.
5. Confirm your domain coverage options:
   • Secure the main domain name
   • Include the www subdomain
   • Secure webmail (if applicable)
   • Include wildcard coverage (if needed)
6. Click Get it free to generate and install the new certificate.
7. Plesk will validate your domain automatically via DNS or HTTP and install the replacement certificate within a few minutes.

Replacing a paid (third-party) SSL certificate

For certificates purchased from providers like Comodo, DigiCert, or GoDaddy, the reissue process involves your certificate authority (CA).

1. Contact your certificate authority and request a reissue. You'll typically need to provide a reason (key compromise, domain change, etc.).
2. The CA may require a new CSR. To generate one in Plesk, go to Websites & Domains > your domain > SSL/TLS Certificates > Manage > Add SSL/TLS Certificate and fill in your details.
3. Submit the new CSR to your CA and complete their validation process.
4. Once you receive the reissued certificate files (.crt or .pem), return to Plesk.
5. Go to Websites & Domains > your domain > SSL/TLS Certificates.
6. Click Manage under "Download or remove existing certificates."
7. Click Add SSL/TLS Certificate, upload the new certificate file (and CA bundle if provided), then click Upload Certificate.
8. Go to Hosting Settings for the domain and select the newly uploaded certificate from the Certificate dropdown.
9. Click OK to apply.

Important notes

• Let's Encrypt certificates auto-renew every 60–90 days when the SSL It! extension is active. Manual reissue is only needed if something goes wrong.
• After replacing a paid certificate, verify the installation using an online checker like SSL Shopper.
• If visitors see a security warning after replacement, clear your browser cache or wait a few minutes for the new certificate to propagate.
• Always keep a backup of your private key — without it, your certificate cannot be installed.

Troubleshooting

• Reissue button is greyed out: The certificate may still be processing. Wait a few minutes and refresh the page.
• Let's Encrypt validation fails: Check that your domain's DNS points to the correct server IP and that no firewall is blocking port 80.
• New certificate not showing: Make sure you selected it in Hosting Settings. The old certificate may still be assigned.
• "Certificate chain is incomplete" error: You need to include the CA bundle (intermediate certificate) when uploading a paid certificate.